International Data Transfers under the UK GDPR – The UK adopts new transfer tools
On 21 March 2021, the UK adopted two documents governing the international transfer of personal data under the UK GDPR: the international data transfer agreement (IDTA) and the international data transfer addendum (the Addendum). These documents will serve as the main basis for international data transfers to countries lacking a UK ‘adequacy regulation’. Earlier in 2021, the EU Commission had already published a revised set of standard contractual clauses (SCCs) for transfers of personal data outside the European Economic Area under the EU GDPR. These clauses impose extensive obligations on both data importers and exporters stemming from the European Court of Justice’s Schrems II ruling. You can read more about the EU SCCs here.
Due to the UK’s exit from the EU, the new EU SCCs did not apply to businesses based only in the UK. Instead, transfers under the UK GDPR continued to be based on the old set of European SCCs. The new UK data transfer documents finally re-align the EU and UK data transfer regimes. In this post, we will explain these documents and their impact on businesses wishing to transfer personal data outside the UK.
International data transfers under UK GDPR
Just like the EU GDPR, Art. 46 (1) of the UK GDPR restricts transfers of personal data of data subjects residing in the UK to third countries whose level of personal data protection has not been classified as adequate. The countries for which the UK has adopted an adequacy regulation are published by the Information Commissioner’s Office here. Additionally, on 28 June 2021, the European Commission issued two UK adequacy decisions. Consequently, personal data can be transferred between the EU and the UK without additional safeguards. The new IDTA and the Addendum are only relevant for transfers to third countries. Here, the transfer must be based on one of the appropriate safeguards listed in Art. 46 (2) and on the condition that enforceable data subject rights and effective legal remedies are available. Among other safeguards, businesses can now choose between the IDTA and the IDTA Addendum. Similar to the European SCCs, the IDTA constitutes an exhaustive agreement which can itself serve as an appropriate safeguard for the transfer. Conversely, the Addendum acts as an addition to the EU SCCs. It can only be relied on in combination with the EU SCCs, essentially amending them to be usable for data stemming from the UK.
Zooming in: IDTA & Addendum
The IDTA is a rather lengthy but user-friendly document. It is drafted in plain language and largely composed of pre-drafted tables which the parties must merely complete with the details of the transfer. It further contains mandatory provisions that must remain unchanged. Similar to the EU SCCs, it imposes extensive contractual obligations on the parties, e.g., requiring the importer to inform the exporter about any relevant local laws and practices. Unlike its European counterpart, the IDTA does not follow a modular approach. Hence, its clauses apply to all data transfers regardless of the relationship of the parties, e.g., controller to controller or controller to processor. Additionally, the UK opted for a wider personal scope of its IDTA compared to the European SCCs. The IDTA extends to data importers who are subject to the UK GDPR under its extraterritorial scope. Conversely, recital 7 of the EU SCCs prevents their application where the importer is subject to the EU GDPR under its extraterritorial reach. Moreover, the IDTA allows parties to resolve potential disputes via arbitration.
Unlike the IDTA, the Addendum is not a standalone document. Instead, it must be used in combination with the EU SCCs to render a data transfer valid. Accordingly, the Addendum is much shorter (nine pages) and merely introduces amendments to the SCCs to adapt them to data flows stemming from the UK. Like the IDTA, it is strikingly user-friendly. Its language is easy to understand and it also follows a tabular structure, merely requiring parties to fill in the relevant information.
Which one to use?
UK-based businesses can freely opt to base their transfers on either of the two documents. Arguably, however, the IDTA is of most value for businesses which only have to comply with the UK GDPR. Companies conducting business both in the UK and the EU must comply with both privacy regulations. Accordingly, they must already use the EU SCCs for many transfers anyway. For them, it is presumably less costly to simply add the Addendum where necessary than to complete the IDTA separately.
Do not forget the TRA (TIA)
Importantly, having recourse to the IDTA or the Addendum does not free businesses from the obligation to conduct a transfer risk assessment (TRA) prior to each data transfer (transfer impact assessment, TIA in the EEA). This obligation stems from the Schrems II ruling and aims to assess whether the country of destination offers a level of protection ‘essentially equivalent’ to the level in the EU. You can read more about the specifics of the EEA’s TIAs and how to conduct them here.
The ICO refers to both documents as ‘immediate of use’. Nevertheless, businesses benefit from a certain grace period. The old SCCs can be relied on in new data transfer contracts until 21 September 2022. Similarly, all transfers based on the old SCCs must be adapted to the IDTA or the Addendum by 21 March 2024 if the underlying processing operations remain unchanged. Where they change before then, the IDTA or the Addendum must be entered into immediately.
What to do now?
If you are a UK-based business transferring personal data outside the UK, you should take proactive steps to ensure continued compliance with the new data transfer regime as soon as possible. Firstly, it is advisable to review all your data transfers and obtain an overview of the relevant safeguards on which these transfers are currently based. Then, try to assess which of the new documents is best suited to replace the old safeguards. Until now, the ICO has published no further guidance on the two documents. However, it has already announced that it will soon issue clause-by-clause guidance for both documents as well as guidance on the Transfer Risk Assessment. Make sure to read these thoroughly once adopted. Lastly, consider the prescribed transition periods and plan ahead as to when each ongoing data transfer contract should be updated to the IDTA or the Addendum.
Consequently, international data transfers remain an important topic within the international data protection sphere. The new UK documents should be welcomed as a means to further streamline the EU and UK privacy regimes and ensure a high level of personal data protection across Europe. Further ICO guidance on the topic is eagerly awaited for more clarity concerning the documents’ practical implementation. In the next post, we will dive deeper into the IDTA and address how to complete the agreement to ensure a valid data transfer.